Google Offers $200,000 for TrustZone, Verified Boot Exploits

Google this week announced increased rewards for security researchers reporting Android TrustZone or Verified Boot exploit chains. The company is now willing to pay up to $200,000 for such compromises, and will pay up to $150,000 for remote kernel exploits.

The awards are offered as part of the company’s Android Security Rewards program, which turned two this week. The Internet giant paid over $1.5 million in bounties to security researchers reporting Android vulnerabilities over the course of two years, and is looking to pay even more in the future.

During its two-year run, Android Security Rewards has attracted a large number of security researchers, and Google received over 450 qualifying vulnerability reports from the participating researchers over the past 12 months alone.

The total program payout doubled to $1.1 million dollars, and the average pay per researcher jumped by 52.3% compared to the first year, Google says.

During the program’s second year, the Internet giant paid $10,000 or more to 31 researchers, and also paid the top research team, C0RE Team, over $300,000 for 118 vulnerability reports. Over the course of a year, the company paid 115 individuals with an average of $2,150 per reward and $10,209 per researcher.

Unfortunately, none of the reports received over the two-year period included a complete remote exploit chain leading to TrustZone or Verified Boot compromise, which would have received the highest award amount available through the program.

Because no researcher claimed the top rewards in two years, the company decided to make changes to all vulnerability reports filed after June 1, 2017 and stir researchers’ interest by significantly increasing the top-line payouts for exploit chains that could claim them.

Thus, the rewards for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise were increased from $50,000 to $200,000, while those for a remote kernel exploit went from $30,000 to $150,000.

“In addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates,” Mayank Jain and Scott Roberts, Android Security team, say.

According to Jain and Roberts, there are over 100 device models with a majority of devices running a security update released within the past 90 days. Furthermore, numerous models run a security update from the last two months, including Google Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9.

Various smartphone models from manufacturers such as BlackBerry, Fujitsu, General Mobile, Gionee, LGE, Motorola, Oppo, Samsung, Sharp, Sony, and Vivo also run security patches released over the past two months.